Data Processing Agreement
For use between PolicyKit operators and their enterprise customers — UK GDPR Article 28
Template Notice
This is a template Data Processing Agreement. It must be reviewed by qualified legal counsel before execution. Replace all [PLACEHOLDERS] and customise to your specific circumstances.
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller: The customer organisation whose authorised representative accepts this DPA ("Controller" or "Customer")
- Data Processor: [COMPANY NAME], registered at [ADDRESS] ("Processor" or "we"), operating the PolicyKit compliance document platform ("Service")
2. Background
The Controller uses the Service to generate compliance documents and manage employee policy acknowledgments. In doing so, the Controller may transfer personal data to the Processor for processing on the Controller's behalf. This DPA sets out the terms of that processing relationship under Article 28 of the UK GDPR / GDPR.
3. Subject Matter, Duration, and Nature of Processing
- Subject matter: Provision of AI-assisted compliance document generation and team acknowledgment tracking
- Duration: For the term of the Service subscription, plus any retention period required by this DPA
- Nature of processing: Storage, retrieval, organisation, and structuring of personal data; transmission to AI sub-processors for document generation; delivery of transactional emails
- Purpose: To provide the Service features subscribed to by the Controller, including document generation, acknowledgment tracking, audit reporting, and regulatory alert notifications
4. Categories of Data Subjects and Personal Data
The Processor may process the following categories of personal data on behalf of the Controller:
- Controller's authorised users: Email address, full name, company name, business type, jurisdiction, subscription status
- Controller's team members (invited via Hub plan): Email address, full name, policy acknowledgment timestamps, IP addresses at time of acknowledgment
5. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller, including with regard to transfers to third countries
- Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32), including: encryption in transit (TLS) and at rest (AES-256), row-level database security and access controls, hashed account passwords and API keys, and dedicated encryption of service credentials and webhook signing secrets. Ordinary profile fields (e.g. names, email addresses) are not separately field-encrypted and are protected by the encryption-at-rest and access-control measures above
- Not engage any sub-processor without prior specific or general written authorisation of the Controller, and inform the Controller of any intended changes concerning the addition or replacement of sub-processors
- Assist the Controller in ensuring compliance with obligations pursuant to Articles 32–36 of the GDPR, taking into account the nature of processing and the information available to the Processor
- At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless UK/EU law requires storage of the data
- Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller
6. Sub-processors
The Controller provides general written authorisation for the Processor to engage the following sub-processors. The Processor shall inform the Controller of any intended changes at least 30 days in advance.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | US (AWS us-east-1/2) |
| Anthropic, PBC | AI document generation (if configured) | US |
| OpenAI, LLC | AI document generation (if configured) | US |
| Google LLC | AI document generation (if configured) | US |
| xAI Corp | AI document generation (if configured) | US |
| Resend, Inc. | Transactional email delivery | US |
| Vercel, Inc. | Hosting and edge infrastructure | US / Global |
| Stripe, Inc. | Payment processing | US |
7. International Transfers
Transfers of personal data from the UK or EEA to sub-processors in the United States are protected by:
- EU Standard Contractual Clauses (SCCs) — Commission Decision 2021/914 (for EU transfers)
- UK International Data Transfer Agreements (UK IDTAs) — as required under UK GDPR
Each sub-processor listed above maintains its own DPA and transfer mechanisms. The Processor shall, upon request, provide details of the transfer mechanisms in place for each sub-processor.
8. Data Subject Rights
Taking into account the nature of the processing, the Processor shall assist the Controller in responding to data subject rights requests (Articles 15–22 GDPR). The Controller is responsible for responding to data subjects directly. The Processor shall:
- Promptly forward any data subject requests received directly to the Controller
- Provide data exports on request to facilitate the Controller's response
- Delete or anonymise data on Controller instruction within 30 days
9. Security Incidents
The Processor shall notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of a personal data breach affecting data processed under this DPA. The notification shall include, to the extent available: the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and the measures taken or proposed to address the breach.
10. Audit Rights
The Processor shall, upon reasonable prior notice (not less than 14 days) and no more than once per 12-month period, allow the Controller or its appointed auditor to inspect the Processor's data processing practices. The costs of any audit shall be borne by the Controller unless the audit reveals a material breach of this DPA.
11. Liability and Indemnity
The liability of each party under this DPA shall be subject to the limitations set out in the main Terms of Service agreement between the parties. Each party shall indemnify the other against any claims, damages, or fines arising from that party's breach of this DPA or applicable data protection law.
12. Term and Termination
This DPA shall remain in force for the duration of the Service subscription. Upon termination, the Processor shall, within 30 days, at the Controller's election: (a) return all personal data in a machine-readable format; or (b) securely delete all personal data. The Processor shall certify in writing that deletion has been completed.
13. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
14. Execution
This DPA is incorporated into and forms part of the Terms of Service. By accepting the Terms of Service, the Customer agrees to be bound by this DPA. For Enterprise customers requiring a separately executed DPA, please contact us at the privacy email in our Privacy Policy.